
We are using the embedded signing, so the users do not have to leave our app which means we are using the APIs to facilitate this. We are trying to automate the process of onboarding/auto-provisioning users into DocuSign so they don’t have to go to the DocuSign site first. 

 

We have Auto-Provisioning turned on and it works when a user logs into the portal.

 

My question is, should the auto-provisioning work through the APIs, where if we search for a user's email, it will automatically add them if they exist within our domain? Or do we need to have a process that checks if a user exists in DocuSign and adds the user if they do not?

Hello, ​@Nicholas H. 

 

If you’re using SSO, I suppose that you first add a new user in the Domain’s Active Directory, right? Doing that, you’re using a unique email for the new user, thus you don’t need to check it beforehand at Docusign because Docusign will not permit duplicate users’ emails.

Is that your question? Or did I understand wrongly?

 

Best,

Alexandre


Hi ​@Alexandre.Augusto,

Thank you for your reply. We are doing it through SSO and we have 2 domains set up and an Azure security group that contains the users that have access. This does use the unique emails that are part of our domain. The question is more about the auto-provisioning… here is a sample scenario where it works as expected:

  1. I add a new user to our security group
  2. The user goes to Docusign and logs in using “Company Login”
  3. The account is auto-provisioned
  4. They can view their dashboard in Docusign

 

My Issue:

  1. I add a new user to our security group
  2. The application generates a new document via API (User has never logged into Docusign portal)
    1. To do this it searches for the user to get their ID for the signature assignment
  3. An error is received that the user does not exist (from the user search)

 

Should the API be auto-provisioning based on the security group that is linked? If not, is there a way to push the users from our security group into Docusign before we attempt to create the signatures?

 

I hope that helps explain more about what I am running into and what we are trying to do.

 

 


OK, I get it.

What’s the entire error message?

Thanks,

Alexandre


@Nicholas H. 

If you are using Microsoft, check this article:

https://learn.microsoft.com/en-us/entra/identity/saas-apps/docusign-provisioning-tutorial

 

Best,

Alexandre


@Alexandre.Augusto ,

The error code is: USER_LACKS_MEMBERSHIP

Message is: The UserID does not have a valid membership in this Account

 

I will check out the link you sent and try to verify with our AD team the configuration.


You can use the Docusign Admin API to create a new eSignature user and activate their account automatically. Please note that the auto-activation is only available for users with an email address domain that your organization has claimed.

More information about how you can do it is here: https://developers.docusign.com/docs/admin-api/how-to/create-active-user/


@Byungjae.Chung ,

Yeah, I was trying to avoid having to do a bunch of API calls on our app just to get users into the system. 

 

I tried the Automated Provisioning that ​@Alexandre.Augusto suggested, and it looks like it is working as expected but the problem is that it is provisioning the users onto another account not under the Organization that is linked to our Microsoft AD. I am waiting to hear back from DocuSign support why that would be… all the IDs point to the one I have been using but they got added to the separate account.

 

Here is an example scenario that would hopefully help visualize what is happening. 

Microsoft AD

  • Confirmed with our AD team that it is pointing to the Company Org below

Company Org (SSO/SAML connection)

  • Account 1 (default - the one I have been working with)
  • Account 2

 

Account 3

  • I think this was set up years ago by our org when they first attempted to get DocuSign integrated and is not connected to our Company Org or the SSO/SAML from what I can tell.
  • This is where the users are being sync’d from Microsoft AD.

Do you query the accountid of the user by get userinfo or manually with the correct accountid parameter in the configuration?

 

FreeLink/甫连信息

🌍 Docusign Partner | Partner Profile

🏆 Docusign 2024 APAC Reseller Growth Partner of the Year

🌟 The only Docusign Partner globally certified as both a Certified eSignature Administrator and eSignature Technical Consultant.

📊 Docusign Community Leaderboard Top 5 contributor.

🚀 Expertise in Docusign integrations with on-premises systems for leading enterprises across various industries.


Ideally, it would be nice to have the users auto-provisioned and then when creating the signatures, lookup the users by their email address which is in our domain to get their ID. This is what I have setup now.

 

But in lieu of the auto-provisioning not working correctly/as-expected right now, I added an extra step to search for the user and if they don’t exist, then add the user record before creating the signature for the form. This might be the best approach in the interim… it’s a few more API calls but at least it can proceed with sending the document for signing.


Just to put a conclusion to this thread, in the end it turns out that there was a Production Account set up before my involvement in our organization. Apparently, that is the one that is linked to the Domains and User-Provisioning, which is why the users were not sync’d to the Development Account.

 

The solution that we are going with for the time being is utilizing the APIs and having to check to see if the user exists via the search API. If their record is missing, then adding the user via API. This works out because we need their DocuSign ID regardless to create the Signature on the Document.
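
The search-then-add flow described in this thread, as an added example that is not part of the original posts and is not Docusign's code. `FakeDirectory` is a constructed in-memory stand-in for the user search and add-user API calls; `ensure_user`, `claimed_domains` and `expected_account` are hypothetical names. The sketch adds two guards the thread points to: it pins the target account, and it only creates users whose email domain the organization has claimed.

```python
from dataclasses import dataclass, field


class ProvisioningError(Exception):
    pass


@dataclass
class FakeDirectory:
    """Constructed in-memory stand-in for the user search / add-user API calls."""
    users: dict = field(default_factory=dict)   # (account_id, email) -> user id
    calls: list = field(default_factory=list)   # audit trail of calls made

    def find_user(self, account_id, email):
        self.calls.append(("find", account_id, email))
        return self.users.get((account_id, email))

    def create_user(self, account_id, email, name):
        self.calls.append(("create", account_id, email))
        if (account_id, email) in self.users:
            raise ProvisioningError("user already exists")
        user_id = f"user-{len(self.users) + 1}"
        self.users[(account_id, email)] = user_id
        return user_id


def ensure_user(api, account_id, email, name, claimed_domains, expected_account):
    """Return the user's ID in account_id, creating the record only if missing."""
    # Pin the account: the thread traced its problem to users being
    # provisioned into a different account than the one the app was using.
    if account_id != expected_account:
        raise ProvisioningError(f"refusing to provision into {account_id}")
    email = email.strip().lower()
    local, sep, domain = email.rpartition("@")
    # Exact-match the domain so look-alike or suffixed domains are rejected.
    if not sep or not local or domain not in claimed_domains:
        raise ProvisioningError(f"{email!r} is outside the claimed domains")
    user_id = api.find_user(account_id, email)
    if user_id is None:
        try:
            user_id = api.create_user(account_id, email, name)
        except ProvisioningError:
            # Lost a race with a concurrent request: re-read the record.
            user_id = api.find_user(account_id, email)
            if user_id is None:
                raise
    return user_id
```
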

